[...] on the stub network are assumed to [...] router for any global communication [...] on the DNAT [...] the stub network is accorded [...] of IPsec for hosts on [...] of the hosts. The new method [...] members and local IP address [...] elements: 1) address [...] NAT by [...] the hosts [...] may vouch for the identities of [...] as a local certificate authority that [...] space which [...] to bind a public key to a name [...] router issues the certificates, and [...] of [...] DNAT [...] certificate, any local host [...] any other host (or security gateway) on the Internet [...] termination point of an SA to [...] establishment and [...] SA [...] routers. This method will also work when DNAT is used with Mobile IP.
Introduction



[...] participate in, the critical and sensitive operations that [...] connection endpoints have access to, and [...] confidence in the security of [...]

The [...] networks, different address spaces could be [...] as the NAT [...] of IP [...] the local address space may be used [...] LAN) [...] globally routable [...] which are only locally routable (i.e., within the stub network) [...] network [...] addresses [...] NAT. In the latter case, the NAT is required to [...] IPv6 networks during the potentially long time required for the transition from IPv4 to IPv6 [...]

[...] specific principles of IPsec which [...] establishment and maintenance of secure end-to-end connections over the IP network.

[...] a distributed form of NAT, called DNAT, previously described [...], which uses [...] a mapping between an IPsec-specific identifier

IPsec: The Essentials

[...] one with a single [...] connection [...] each endpoint of a connection [...] Detailed descriptions of IPsec and related [...] can be found in references [...]. For the purposes of this disclosure we focus on two [...] which are addressed by IPsec: [...] authentication and integrity protection [...] as well as optional [...]

[...] Security Parameters Index (SPI), which is a unique identifier [...] called the [...] the header also contains other fields [...] with the security association [...] termination points (end systems or security gateways) [...] combination [...] a single SA defines [...] tunnel mode [...]

[...] IPsec services, one of the endpoints sends IP

packets, the other receives them. Since an SA is unidirectional, [...]. It is also possible to combine [...] multiple layers of IPsec protocols between two endpoints by combining multiple SAs.

[...] and order of the processing required based upon information contained in the packet. [...] applies multiple-SA protection iteratively, one SA [...]; the combination of SAs applied is determined according to parameters carried [...]. These parameters, called selectors in [...], [...] TCP [...] header of [...] TCP or UDP port [...]. Output IPsec processing uses the selectors as a [...] processing options on a packet-by-packet basis. Additional SAs may also be applied by other [...]. The result is [...] and/or authenticity) the protection for each [...].

[...] at a [...] IPsec entity is uniquely identified by the combination [...] and SPI. [...] three pieces of information are carried in every incoming packet [...] and receiving system to determine each SA associated with a given packet by [...] allows the receiving computer to process the SA protection applied by the sending [...]. [...] the security [...] of input processing may be an IP packet [...] forwarded to a [...] done. Further details of IPsec [...]

[...] when the two systems [...] and associated parameter values, and SPI assignment. The authentication [...] counterpart during negotiation [...] Engineering Task Force released the [...] ISAKMP [...] of ISAKMP and IKE are [...] operation [...] signaling between the two endpoints, in which an initiator [...] responder counter-proposes. Once the signaling is complete, both [...] relevant security parameter information, and are ready to send/receive [...]

[...] Certificate Authority, or CA. Each [...] IPsec generates a public/private key pair, and has its public key "notarized" [...] certificate, and returns it to the owner of the [...] name space binding public keys to their owners. At some point during SA negotiation, [...] is encrypted with [...] sender's public key from the certificate to validate [...] (one at [...] right to use its IP address. Since only the initiator (sender) has access to the private key [...] verified the signature, is certain of the initiator's identity. Here, "identity" refers only to [...] to bind public keys to their owners. [...] which [...] became invalid. The result of these negotiation and authentication procedures is a secure connection that satisfies the properties of requirement (2) above.

NAT and Why It Doesn't Work With IPsec 

[...] IP address. Each local host has a local-only IP address for

communication with its peers on the LAN [...]. When a local host has an IP packet bound for [...] its own local IP address as the source and the global IP address of [...]. The NAT router recognizes the packet as bound for the global IP network by its destination [...] interface. At the same [...] it records the source TCP port [...] the port number with the local IP address of the source host [...] at the NAT router. This state information [...] NAT [...] IP address [...] be changed to that of the local host [...]. Modifications similar to those done for transmission to the external network may also be required.

In very simplified terms, there are two basic reasons [...] NAT does not work with IPsec. First, the NAT router needs to modify the IP packet [...] by [...] be modified anywhere along its path to the [...] condition. Even if the NAT router did not need to modify the packets it forwards, [...] host, the [...] will be encrypted [...]. Second, [...] do not comprise a name [...] the authentication necessary [...] of their counterpart, and thus cannot establish a secure and trusted [...] of [...]

Summary of DNAT 

[...] Unlike NAT, DNAT allows the router which performs the address mappings to [...] payload). This only [...] eliminates the first of the chief obstacles [...] modify all IP packets that it [...]. [...] abbreviated description of how DNAT works; a more complete description can be found [...].

[...] mapping between local host IP [...] and [...] address [...]. A port number is used by the router to route packets between local hosts and the external internet. [...] Hosts may [...] and must ensure that no port number is [...] port numbers [...] addresses. When transmitting a packet bound for the external internet, [...] to one of the port numbers [...] to the router's global IP address; the destination [...] IP packet header [...]. Then the host prepends [...] source, and the DNAT router's local IP address is the destination. The [...] header causes the encapsulated global IP packet to be tunneled [...]. [...] DNAT router (local) [...] then forwards the remaining IP packet [...] local host IP addresses. This local IP [...] the local [...]

[...] that the source of the packet (e.g., the remote server or host) has set the destination [...] port number [...] source port number in the packet received from the local host (via the DNAT router). The validity of this assumption is briefly addressed below (see item 5 in the list below).

[...] external internet [...] packets (in either direction) without the [...] DNAT [...] to [...] does need to access information in TCP/UDP headers. The [...] DNAT without IPsec [...] DNAT router [...] later in this disclosure show how to [...] elements of DNAT [...] of DNAT are non-overlapping blocks of port numbers (as allocated by the DNAT router), port numbers [...] local IP [...] local host participation in DNAT protocol [...] and [...] either implied requirements [...] DNAT; rather, the [...] the router's DNAT processing must reside above the IP layer. IPsec [...]

[...] as the destination port in any reply packet [...] system [...] be [...] requirement of [...] Protocol. This requirement raises the generalization of [...] they are communicating with [...]. However, the DNAT method of port [...] For [...] port number/IP address mapping, which requires no packet modification by the DNAT

IPsec Across a DNAT Network

[...] local hosts on the stub network blocks of non-overlapping ranges of SPI values. When a [...] the global [...] ensures that the SPI [...] allocated block of SPI values. Here, incoming SA is taken to mean an SA that terminates at the [...] the SPI is selected by the remote [...] SAs which terminate [...] of multiple levels of [...] the uppermost level [...] to use an SPI selected from the allocated block [...] SPI [...] in the IPsec protocol header of the associated IP packet. For the uppermost level of SA [...] for any and all combinations of protocol and mode. Therefore the DNAT [...] to the SPI in the uppermost level SA associated with any incoming IP packet.

[...] of IPsec over DNAT, the DNAT router does not look at TCP or UDP port numbers ([...] in the case of IPsec ESP). For outgoing packets, the DNAT router simply [...] on its [...] network interface; the SPI [...] has no use in this scheme. For incoming packets, the DNAT router maintains a mapping between SPI [...] and [...] arrives from the external, global IP [...]. As noted, this header is always in the clear [...] below the outermost one is of no consequence to this mapping method) [...] the packet is forwarded to the local host. The local host removes the tunnel [...]. The DNAT router never needs to modify any of the received packet's contents.

[...] done in DNAT without IPsec. This is because once a [...] processed by IPsec, the original IP header, TCP/UDP [...] and [...]. In particular, it must not be possible for two or more [...] on the LAN to be able to use the same source port number, since the IP packets that they construct [...]. [...] of the same source port by multiple local hosts were allowed [...] would [...] hosts attempted to communicate with the same application on the same [...]. [...] processing at the remote system is complete, there is no way to distinguish which arriving packets are [...] for [...]. Thus, the protocol of using allocated blocks [...] for source ports is maintained when IPsec is implemented [...]. However, source port is no longer used for the address mapping by the DNAT router.

The port numbers are also required for output IPsec processing at the remote system for packets destined to local hosts on the DNAT LAN. As briefly described above, [...] parameters [...] what output IPsec processing [...] on a packet-by-packet basis. If the remote system terminates IPsec

connections with more than one local host on a DNAT LAN, port number is, again, the only way to distinguish to which host each packet should be sent, since the source IP address for all such packets is the same (i.e., the IP address of the DNAT [...] (see the comment on "NAT-friendly" applications in the summary of DNAT above). With proper filtering by selectors [...] DNAT [...] local IP address [...] proceed [...]

In short, forwarding/routing in the case of IPsec over DNAT looks just like DNAT, except that SPI is used instead of TCP or UDP [...] requires read access only to the SPI in the protocol header (which is always in the clear). Source ports are still used to disambiguate connections by the remote server.

The remaining [...]. This problem is solved by: 1) modifying the name space for binding public keys to the identities of their owners; and 2) configuring the DNAT router to act as a Local Certificate Authority [...] which its public key that is bound to the [...]

[...] two [...]: 1) it must provide any local host on any stub network a globally-unique identifier that includes the external IP address of the DNAT router; and 2) for each local host, it must include the [...] identity. For the purposes of illustration within this disclosure, we shall choose a name space consisting of the [...] and local IP address. [...] is global by virtue of the uniqueness of the DNAT router's global IP address, and the uniqueness within the stub network of the host's local IP address. Any local host on the DNAT stub network that wishes to participate in IPsec begins by receiving its allocated block [...] LCA (configured on the DNAT [...] in the same way that the DNAT router [...] level [...] that the local host [...] a certificate by the LCA which contains a binding [...]

Negotiation between a local host and remote computer on the global IP network proceeds as defined by the IPsec protocols [...] ensures the remote system that the local host has the right to use the global IP address of the DNAT [...] the remote [...] that the local host has the right to use the range of port numbers [...] to the local host. It also provides a method for [...] port numbers [...] be [...] with the local host. As described above, port numbers are required to disambiguate IP packets from/to hosts on the DNAT LAN, for input/output IPsec processing.

Note that port number maintenance by the DNAT router includes both allocation and de-allocation, and can be fairly dynamic. Local hosts can request additional port numbers, and the DNAT router can render an allocated range invalid (de-allocate) [...]. [...] additional certificates must be issued by the LCA for each allocation of port numbers to a local host. In addition, the DNAT router must maintain a list of all certificates issued to its local hosts, and ensure that the associated ports are never de-allocated as long as the certificates with bindings to these ports are still valid. Alternatively, if the DNAT router is allowed to de-allocate ports, it must revoke any certificates with bindings to these ports [...] include [...] all remote systems that have active SAs established with the local hosts [...]. [...] revocation [...] be required, for example, when a local
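The two router-side rules stated above (inbound IPsec packets are forwarded by the SPI in the outermost cleartext header alone, and a port block stays allocated while a valid LCA certificate binds it, or its certificates are revoked first) can be exercised in a small model. The Python below is an added illustration, not the disclosure's own code or a real DNAT implementation: every address, SPI block, port block and packet byte string is constructed, and the SPI offsets are taken from the ESP and AH header formats (first four bytes of ESP, bytes 4 to 8 of AH), which the disclosure itself does not spell out.

```python
# Constructed toy model of the IPsec-over-DNAT router rules in the disclosure.
# Every address, SPI block, port block and packet here is made up; this is not
# the disclosure's own code nor a real DNAT implementation.
import struct
from dataclasses import dataclass, field

ESP, AH = 50, 51  # IP protocol numbers of IPsec ESP and AH


def outermost_spi(proto, hdr):
    """SPI is bytes 0..4 of an ESP header (RFC 4303) and bytes 4..8 of an AH
    header (RFC 4302); both are sent in the clear, so no key is needed."""
    if proto == ESP:
        return struct.unpack("!I", hdr[:4])[0]
    if proto == AH:
        return struct.unpack("!I", hdr[4:8])[0]
    raise ValueError("not an IPsec packet")


def _overlap(a, b):
    return a.start < b.stop and b.start < a.stop


@dataclass
class PortCert:
    """LCA certificate binding (router global IP, host local IP) to a port block."""
    serial: int
    host: str
    ports: range
    valid: bool = True


@dataclass
class DnatRouter:
    global_ip: str
    spi_blocks: dict = field(default_factory=dict)   # host -> range of SPIs
    port_blocks: dict = field(default_factory=dict)  # host -> [range, ...]
    certs: list = field(default_factory=list)        # everything the LCA issued

    def allocate(self, host, spi_block, port_block):
        """Assign non-overlapping SPI and port blocks and certify the port block."""
        for other, blk in self.spi_blocks.items():
            if other != host and _overlap(blk, spi_block):
                raise ValueError(f"SPI block overlaps host {other}")
        for other, blks in self.port_blocks.items():
            if other != host and any(_overlap(b, port_block) for b in blks):
                raise ValueError(f"port block overlaps host {other}")
        self.spi_blocks[host] = spi_block
        self.port_blocks.setdefault(host, []).append(port_block)
        cert = PortCert(len(self.certs) + 1, host, port_block)
        self.certs.append(cert)
        return cert

    def certified_name(self, cert):
        """The globally unique identifier the LCA vouches for."""
        return f"{self.global_ip}/{cert.host}/{cert.ports.start}-{cert.ports.stop - 1}"

    def route_incoming(self, proto, hdr):
        """Pick the local host from the SPI alone; TCP/UDP ports are never read."""
        spi = outermost_spi(proto, hdr)
        return next((h for h, blk in self.spi_blocks.items() if spi in blk), None)

    def deallocate(self, host, port_block):
        """Conservative rule: refuse while a valid certificate binds the ports."""
        if any(c.valid and c.host == host and c.ports == port_block for c in self.certs):
            return False
        self.port_blocks[host].remove(port_block)
        return True

    def revoke_and_deallocate(self, host, port_block):
        """Alternative rule: revoke the binding certificates first, then free the
        ports; the returned serials are what peers with active SAs must learn."""
        revoked = [c for c in self.certs if c.valid and c.host == host and c.ports == port_block]
        for c in revoked:
            c.valid = False
        self.port_blocks[host].remove(port_block)
        return [c.serial for c in revoked]


def demo():
    """Run the rules on constructed data and return the observations."""
    r = DnatRouter("203.0.113.1")
    c1 = r.allocate("10.0.0.5", range(0x1000, 0x2000), range(40000, 41000))
    c2 = r.allocate("10.0.0.6", range(0x2000, 0x3000), range(41000, 42000))
    # Constructed headers. ESP: SPI, seq, ciphertext. AH: next hdr, len, rsvd, SPI, seq, ICV.
    esp = struct.pack("!II", 0x1234, 7) + b"\x00" * 8
    ah = bytes([6, 4, 0, 0]) + struct.pack("!II", 0x2ABC, 1) + b"\x00" * 12
    stray = struct.pack("!II", 0x9999, 1) + b"\x00" * 8
    try:
        r.allocate("10.0.0.7", range(0x1800, 0x1900), range(50000, 50100))
        clash = "allowed"
    except ValueError:
        clash = "refused"
    return {
        "esp_to": r.route_incoming(ESP, esp),
        "ah_to": r.route_incoming(AH, ah),
        "stray_to": r.route_incoming(ESP, stray),
        "overlap": clash,
        "name": r.certified_name(c2),
        "freed_while_certified": r.deallocate("10.0.0.5", c1.ports),
        "revoked": r.revoke_and_deallocate("10.0.0.5", c1.ports),
    }
```

Running `demo()` shows the ESP packet with SPI 0x1234 landing on 10.0.0.5 and the AH packet with SPI 0x2ABC on 10.0.0.6 without either header being decrypted or any TCP/UDP field being read, a packet whose SPI falls in no allocated block being dropped, a third host's overlapping SPI block being refused, the certified port block of 10.0.0.5 surviving a plain de-allocation attempt, and the revoke-then-free path returning the serial that remote peers holding active SAs would need to be told about.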

This method of authentication is not restricted to the form of the name space described above. For example, a combination of the DNAT router's global IP address and user email address (where the user is on the local host) would also work. The only constraint is that the DNAT router acting as an LCA must possess a valid certificate giving it the right to certify identifiers drawn from the chosen name space. It should also be noted that this method can be made to work within the scheme disclosed by the authors in which Mobile IP is integrated with DNAT [9]. In this case, the mobile node's home agent is also its LCA. The name space identifier used for illustration in this disclosure is a concatenation of the home agent's global IP address and the mobile node's local address on its home network. This information is available to the mobile node even while it is roaming (i.e., temporarily residing on a foreign network). Therefore no aspect of Mobile IP integrated with DNAT as described in the above referenced disclosure precludes the implementation of IPsec with DNAT as presented in this disclosure. That is, the method presented here also extends to IPsec within the context of Mobile IP, allowing a mobile node to maintain an IPsec-protected connection while it is roaming. The only requirement is that the mobile node's home network is managed as a DNAT stub network in which the mobile node resides as a local host when it is not roaming.

Finally, we note that the concept of using a modified name space to provide a unique identifier to a computer that lacks a globally unique IP address is not restricted to a design based upon the LCA. It is also possible to define a global CA using a modified name space, and eliminate the need for the LCA. However, such a name space is insufficient for the DNAT environment, since it does not include port number, and hence the guarantee to the remote system that a local host has the right to use a specific port number. Aside from this shortcoming, the method of configuring the DNAT router to act as an LCA is proposed here in order to supply a completely described system for implementation. Also, since stub networks exist, and DNAT is a method for sharing global IP addresses within stub networks, the LCA approach described here provides an implementation path that would build upon an existing infrastructure, rather than requiring a new and undeveloped infrastructure. That is, if a DNAT system is built to solve the problem for which it was designed, IPsec could be made to work with it without requiring a new infrastructure to support a global CA with a modified name space.